summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHironori Shiina <shiina.hironori@jp.fujitsu.com>2022-03-03 21:39:14 -0500
committerHironori Shiina <shiina.hironori@jp.fujitsu.com>2022-03-07 18:12:17 -0500
commitd2f77c256836e8a1a562d56eed7d92fdb18a2f76 (patch)
tree0236f36d71cb52bb342da22abce030a84152f546
parent4a242b1327fb34e6cac6c1686afb3370901180d3 (diff)
downloadpodman-d2f77c256836e8a1a562d56eed7d92fdb18a2f76.tar.gz
podman-d2f77c256836e8a1a562d56eed7d92fdb18a2f76.tar.bz2
podman-d2f77c256836e8a1a562d56eed7d92fdb18a2f76.zip
Set default rule at the head of device configuration
The default rule should be set at the head of device configuration. Otherwise, rules for user devices are overridden by the default rule so that any access to the user devices are denied. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
-rw-r--r--pkg/specgen/generate/oci.go6
-rw-r--r--test/e2e/run_device_test.go5
2 files changed, 10 insertions, 1 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 8b3550e36..1cc3a463f 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -332,6 +332,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
// Devices
+ // set the default rule at the beginning of device configuration
+ if !inUserNS && !s.Privileged {
+ g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+ }
+
var userDevices []spec.LinuxDevice
if s.Privileged {
// If privileged, we need to add all the host devices to the
@@ -363,7 +368,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
// set the devices cgroup when not running in a user namespace
if !inUserNS && !s.Privileged {
- g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
for _, dev := range s.DeviceCgroupRule {
g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
}
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index b8bdc84f8..479837dda 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -44,6 +44,11 @@ var _ = Describe("Podman run device", func() {
session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "test", "-c", "/dev/kmsg"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
+ if !isRootless() {
+ session = podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", "--cap-add", "SYS_ADMIN", ALPINE, "head", "-n", "1", "/dev/kmsg"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ }
})
It("podman run device rename test", func() {